From September to December 2024, incidents involving CrossC2, an extension tool that brings Cobalt Strike Beacon to Linux, were confirmed. The attacker used CrossC2 together with other tools such as PsExec, Plink, and Cobalt Strike to penetrate Active Directory (AD) environments. A custom malware family called ReadNimeLoader served as a loader for Cobalt Strike. The campaign may have affected multiple countries.

CrossC2 is an unofficial Beacon and builder compatible with Cobalt Strike 4.1 and later, designed for Linux and macOS. It contains anti-analysis features and encrypted configuration data. The attack chain used java.exe, ReadNimeLoader, and OdinLdr to execute Cobalt Strike Beacon. Other tools used include SystemBC, GetNPUsers, and privilege escalation tools. The campaign shows potential connections to BlackBasta based on shared characteristics.

Author: AlienVault
Related Tags:
ad
ReadNimeLoader
CrossC2
T1080
T1027.001
T1497.001
Cobalt Strike – S0154
T1003.008
T1027.002
Associated Indicators: